Fix challenge-protocol bypass during agent registration (CVE-2023-38201)

Resolves: rhbz#2222695 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2023-08-25 18:28:17 +02:00 · 2023-08-25 18:28:17 +02:00 · 6ac5a8f8e6
commit 6ac5a8f8e6
parent d9401cfa43
2 changed files with 54 additions and 1 deletions
--- a/0009-CVE-2023-38201.patch
+++ b/0009-CVE-2023-38201.patch
@ -0,0 +1,48 @@
+From 9e5ac9f25cd400b16d5969f531cee28290543f2a Mon Sep 17 00:00:00 2001
+From: Marcio Silva <marcio.a.silva@ibm.com>
+Date: Wed, 12 Jul 2023 12:05:47 -0300
+Subject: [PATCH] Fix for CVE-2023-38201 (Security Advisory
+ GHSA-f4r5-q63f-gcww)
+
+In addition to remove the offending message, this patch also ensures
+deletion of an agent's record from the database in case of failure after
+a single attempt.
+
+Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>
+---
+ keylime/registrar_common.py | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
+index 1fd97cd0c..7f15ae430 100644
+--- a/keylime/registrar_common.py
+++ b/keylime/registrar_common.py
+@@ -250,7 +250,9 @@ def get_network_params(
+             try:
+                 port = int(port)
+                 if port < 1 or port > 65535:
+-                    logger.warning("Contact port for agent %s is not a number between 1 and got: %s.", agent_id, port)
+                    logger.warning(
+                        "Contact port for agent %s is not a number between 1 and 65535 got: %s.", agent_id, port
+                    )
+                     port = None
+             except ValueError:
+                 logger.warning("Contact port for agent %s is not a valid number got: %s.", agent_id, port)
+@@ -447,7 +449,16 @@ def do_PUT(self) -> None:
+                     logger.error("SQLAlchemy Error: %s", e)
+                     raise
+             else:
+-                raise Exception(f"Auth tag {auth_tag} does not match expected value {ex_mac}")
+                if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete():
+                    try:
+                        session.commit()
+                    except SQLAlchemyError as e:
+                        logger.error("SQLAlchemy Error: %s", e)
+                        raise
+
+                raise Exception(
+                    f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required"
+                )
+ 
+             web_util.echo_json_response(self, 200, "Success")
+             logger.info("PUT activated: %s", agent_id)
--- a/keylime.spec
+++ b/keylime.spec
@ -9,7 +9,7 @@

 Name:    keylime
 Version: 7.3.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 URL:            https://github.com/keylime/keylime
@ -25,6 +25,7 @@ Patch: 0005-elchecking-example-add-ignores-for-EV_PLATFORM_CONFI.patch
 Patch: 0006-Revert-mapping-changes.patch
 Patch: 0007-Handle-session-close-using-a-session-manager.patch
 Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
+Patch: 0009-CVE-2023-38201.patch

 License: ASL 2.0 and MIT

@ -357,6 +358,10 @@ fi
 %license LICENSE

 %changelog
+* Fri Aug 25 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-5
+- Fix challenge-protocol bypass during agent registration (CVE-2023-38201)
+  Resolves: rhbz#2222695
+
 * Tue Aug 22 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-4
 - Update spec file to use %verify(not md5 size mode mtime) for files updated in %post scriptlets
  Resolves: RHEL-475